RFID technique is based on reading information stored in electronic form on a so-called electronic tag (in short, e-tag) and is used for a number of applications requiring object tracking, such as logistics, stock management and inventories, road toll payment, and so on.
At present, use of this technique is being proposed also for a variety of information services, such as provision of tourist information, commercial information and the like: here, the tags should store a short description of monument located in their vicinity or to which they are affixed, or lists of restaurants, shops, museums in a certain town area, etc.
An important issue when using electronic tags is the integrity and the security of the data stored on the tags.
U.S. Pat. No. 6,480,100 describes a method of formatting an electronic tag, so as to allow storing data in a customised format. A tag user can define a data format and a format name, at least the latter being stored in the tag. The format name is detected by a tag interrogator and used to retrieve the specific format descriptor, which can be a remote file, stored on a floppy disk or in a processor or accessible via the Web. The format descriptor is then used to parse and interpret the information stored in the tag itself. In case the tag is used by different users, each of them can define a specific data format on a respective tag portion. This invention specifies also the possibility to protect some parts of the data stored in the tag using a data integrity check (i.e. CRC).
A limitation of this method is that it is only intended to allow customised data formatting by different users and to ensure data integrity using a CRC method.
US-A 2003/0006578 and U.S. Pat. No. 5,469,363 disclose techniques more sophisticated than using a CRC for preventing or discovering data tampering on smart tags, including electronic tags.
In particular US-A 2003/0006578 discloses a method for encoding data stored in a smart tag including a memory having a permanent number stored in a first portion thereof that cannot be changed, and having a second portion in which information can be stored. Application specific information is stored in the second portion of the smart tag memory, together with a relational check number representative of one of (a) the application specific information and (b) the application specific information and the permanent number.
U.S. Pat. No. 5,469,363 discloses an inventory control system using an electronic tag that keeps an unalterable log of each step in the handling of a controlled item. As a countermeasure against sophisticated theft attempts involving communicating with the smart tag to defeat the security system by learning the password and thereafter altering identification records, the tag permits only a limited number of attempts to read out the secret identification number.
In case of a multi-user, multi-service tag more than one party can be involved in the data management on the e-tag. Considering the preferred application in a wireless scenario, besides the end users, also the wireless network operator and/or the service operator (if different from the network operator) together with one or more commercial users or customers (the providers of the individual information services offered on the tag) need to access the data. Some data might be relevant only for one of the parties and be proprietary data, requiring specific security measures for access control and data communication. For example, a network/service operator who wants to deliver a multiplicity of RFID-based services to different user categories will have to share the data storage area of a tag with its commercial customers. For doing that, the operator should have the possibility to rely on proprietary data fields on the tag, with a common data format to manage different customers and services. In the same way, the commercial users (shops, restaurants, public administrations . . . ) need to have their own data fields for delivering information services to the end user and for storing their management information. The management information is proprietary and in some cases it has to remain confidential, thus requiring security measures, both on the network/service operator side and on the end user side. In fact, some information stored on the tag can be useful only for the commercial user who wants that neither the end user nor the network operator can access it.
Thus, the need arises for controlling the access to an electronic tag by different categories of users in order each of said categories or each of said users is allowed to access only the contents of certain tag portions. In this way, not only the data integrity, but also the data confidentiality, are assured.